Who makes this?


Hi! I'm Julia! I look kind of like this: [drawing]

I found out last year that understanding your operating system's internals makes you a WAY BETTER PROGRAMMER.

It was SO FUN and I wanted to tell EVERYONE. So I'm telling you!

blog: jvns.ca
find me at: @b0rk
email: julia@jvns.ca


a tiny manifesto

operating systems are AWESOME

the strace zine thinks:
- your computer is yours
- your OS is yours
- open licenses mean you can READ AND CHANGE THE CODE!!
- Linux is REALLY COOL

LET'S GO LEARN! it's really fun


what is this strace thing???

(pronounced ess-trace)

strace is a program on Linux that lets you inspect (spy on) what a program is doing without
- a debugger
- or the source code
- or even knowing the programming language at all (?!?! how can it be?)

Basically strace makes you a WIZARD

To understand how this works, let's talk a little about operating systems.


Why you should ♥ your operating system

Some things it does for you:
- understands how your hard drive works and how the file system on it organizes the bytes into files so you can just read the file
- runs code every time you press a key so that you can type
- implements networking protocols like TCP/IP so that you can get webpages/pictures of cats from the internet
- keeps track of all the memory every process is using
- basically knows everything about how all your hardware works so you can just write programs

but wait, Julia, how do my programs use all this great stuff the operating system does?

System calls are the API for your operating system.

Want to open a file? Use [open] and then [read] and [write] to it.

Sending data over a network? Use to open a connection and and pictures of cats.

Every program on your computer is using system calls all the time to manage memory, write files, do networking, and lots more.


a first cup of strace

You might think with all this talk of operating systems and system calls that using strace is hard.

Getting started is easy! If you have a Linux machine, I want you to try it RIGHT NOW.

Run: strace ls

There's a LOT of output and it's pretty confusing at first. I've annotated some for you on the next page.

Try stracing more programs! Google the system calls! Don't worry if you don't understand everything! I sure don't!






annotated strace

When you run strace, you'll see thousands of lines of output like this:

$ strace ls /home/bork/blah
execve("/bin/ls", ["ls", "/home/bork/blah"], [/* 62 vars */]) = 0
brk(NULL) = 0xb67000
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/proc/filesystems", O_RDONLY) = 3
... omitted ...
open("/home/bork/blah", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0775, st_size=168, ...}) = 0
getdents(3, /* 3 entries */, 32768) = 80
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 5), ...}) = 0
write(1, "awesome_file\n", 13) = 13
close(1) = 0
close(2) = 0
exit_group(0) = ?

Studies show this is not self-explanatory
(me asking my friends if it makes sense and NOPE NOPE)

let's learn how to interpret strace output


(1) The process ID (included when you run strace -f)
(2) The name of the system call (execve starts programs)
(3) The system call's arguments, in this case a program to start and the arguments to start it with
(4) The return value

open("awesome.txt", O_RDWR) = 3
- open: syscall name
- "awesome.txt": file to open
- O_RDWR: open with read/write permissions
- 3: file descriptor

The 3 here is a file descriptor number. Internally, Linux tracks open files with numbers! You can see all the file descriptors for process ID 42 and what they point to by doing

ls -l /proc/42/fd

read(3, "wow! yay!") = 4
- "wow! yay!": what got read
- 4: number of bytes read


If you don't understand something in your strace output:
- it's normal! There are lots of syscalls.
- try reading the man page for the system call (man 2 open)
- remember that just understanding read + write + open + execve can take you a long way
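The same reading of a trace, done by a short script. This is an added example, not part of the zine: it splits each line into process ID, system call name, arguments and return value, and follows open and close to turn file descriptor numbers back into paths. The sample trace is constructed from the `strace ls` output above (the failed open is made up), and the function names are this example's own.

```python
import re

# One strace line: optional PID (shown with -f), syscall name, arguments, return value.
LINE = re.compile(r'^(?:(?:\[pid\s+)?(?P<pid>\d+)\]?\s+)?'
                  r'(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>\S+)')
FD_CALLS = {"read", "write", "close", "fstat", "getdents"}  # first argument is an fd

# Constructed sample, modeled on the `strace ls` trace above; the failed open is made up.
SAMPLE = r'''execve("/bin/ls", ["ls", "/home/bork/blah"], [/* 62 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
close(3) = 0
open("/home/bork/blah", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 3
getdents(3, /* 3 entries */, 32768) = 80
close(3) = 0
open("/home/bork/.lsrc", O_RDONLY) = -1 ENOENT (No such file or directory)
write(1, "awesome_file\n", 13) = 13
exit_group(0) = ?'''

def annotate(trace):
    """Return (pid, syscall, ret, path) per call, resolving fd numbers to paths."""
    tables = {}  # pid -> {fd: path}; simplification: children do not inherit fds here
    out = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # signal lines, "<unfinished ...>" and exit messages
        pid, name, args, ret = m.group("pid", "name", "args", "ret")
        fds = tables.setdefault(pid, {0: "<stdin>", 1: "<stdout>", 2: "<stderr>"})
        path = None
        if name in ("open", "openat"):
            quoted = re.search(r'"((?:[^"\\]|\\.)*)"', args)
            path = quoted.group(1) if quoted else None
            if ret.isdigit():  # a failed open returns -1 and allocates no descriptor
                fds[int(ret)] = path
        elif name in FD_CALLS:
            fd = int(args.split(",")[0])
            path = fds.get(fd, "<unknown>")
            if name == "close":
                fds.pop(fd, None)  # the number can now be reused by a later open
        out.append((pid, name, ret, path))
    return out

if __name__ == "__main__":
    for pid, name, ret, path in annotate(SAMPLE):
        print(f"{name:<12} = {ret:<4} {path or ''}")
```

Note how descriptor 3 points at two different files in the sample: the number is reused as soon as the first file is closed.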


my favorite

open

Have you ever not been sure what configuration files a program is using? THAT NEVER NEEDS TO HAPPEN TO YOU AGAIN! Skip the docs and head straight for:

strace -f -e open mplayer Rick-Astley.mp3

write

Programs write logs. If you're sure your program is writing Very Important Information but don't know what or where, strace -e write may be for you.

read is pretty great too.

connect

Sometimes a program is sending network requests to another machine and I want to know WHICH MACHINE.

strace -e connect

shows me every IP address a program connects to.

What's fun? Spying on network activity is fun. If you have an HTTP service and you're debugging and totally at your wits' end, maybe it's time to look at what's REALLY EXACTLY being sent over the network... these are your pals

execve

On my first day of work, a Ruby script that ran some ssh commands wasn't working. Oh no!

But who wants to read code to find out why? ugh.

strace -f -e execve ./script.rb

told us what the problem ssh command was, and we fixed it!
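The three questions above (which files, which machines, which commands) can be answered from one saved trace. This is an added example, not part of the zine: it groups the open, connect and execve calls of a trace and keeps the error name for calls that failed. The trace, its PIDs, paths and addresses are all constructed, and `summarize` is this example's own name.

```python
import re
from collections import defaultdict

# pid (optional), syscall, arguments, return value, errno name (only on failure)
CALL = re.compile(r'^(?:(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+|\?)(?:\s+(E[A-Z0-9]+))?')

# Constructed output in the style of a saved `strace -f` trace of ./script.rb:
# every path, PID, host and address below is made up for the example.
TRACE = r'''4242 execve("./script.rb", ["./script.rb"], [/* 30 vars */]) = 0
4242 open("/etc/app/config.yml", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 open("/home/bork/.apprc", O_RDONLY) = 3
4243 execve("/usr/bin/ssh", ["ssh", "-p", "2222", "deploy@10.0.0.5"], [/* 30 vars */]) = 0
4243 connect(3, {sa_family=AF_INET, sin_port=htons(2222), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
4243 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = -1 ECONNREFUSED (Connection refused)
4243 write(2, "ssh: connect to host\n", 21) = 21'''

def summarize(trace):
    """Group open, connect and execve calls by the file, address or command involved."""
    report = defaultdict(list)
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        pid, name, args, ret, errno = m.groups()
        status = errno or "ok"
        if name in ("open", "openat"):
            path = re.search(r'"([^"]*)"', args)
            if path:  # ENOENT entries show where the program looked for its config
                report["files"].append((path.group(1), status))
        elif name == "connect":
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r'htons\((\d+)\)', args)
            if ip and port:  # IPv4 only; other socket families are skipped
                report["connections"].append((f"{ip.group(1)}:{port.group(1)}", status))
        elif name == "execve":
            argv = re.search(r'\[(.*?)\]', args)  # first [...] is the argument list
            if argv:
                report["commands"].append((pid, re.findall(r'"([^"]*)"', argv.group(1))))
    return dict(report)

if __name__ == "__main__":
    for section, rows in summarize(TRACE).items():
        print(section)
        for row in rows:
            print("   ", row)
```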


strace command line flags

Overwhelmed by all the system calls you don't understand? Try

strace -e open

and it'll just show you the opens. Much simpler!

-f is for follow

Does your program start subprocesses? Use -f to see what those are doing too. Or just always use -f! That's what I do.

-p is for PID

"OH NO! I STARTED THE PROGRAM 6 HOURS AGO AND NOW I WANT TO STRACE IT"

Do not worry! Just find your process's PID (like 747) and

strace -p 747

-s is for strings

Sometimes I'm looking at the output of a recvfrom and it's like:

recvfrom(6, "And then the monster...")

and OH NO THE SUSPENSE.

strace -s 800 will show you the first 800 characters of each string. I use it all the time!

-o is for output

Let's get real. No matter what, strace prints too much damn output. Use

strace -o too_much_stuff.txt

and sort through it later.

Have no idea which file the file descriptor "3" refers to? -y is a flag in newer versions of strace and it'll show you filenames instead of just numbers!

Putting it all together:

Want to spy on an ssh session?

Want to see what files a Dropbox sync process is opening? (with PID 230)

strace -f -p230 -e open


— — — —  — — — — — — — . — 


That's it! Now you're a WIZARD.

More seriously, there's obviously a TON more to learn about operating systems and many further levels of wizardry. But I find just strace by itself to be an incredibly useful tool.

And so fun! On a 12-hour train ride from New York to Montreal, I had no book and no internet, so I just started stracing programs on my computer and I could totally see how the killall program works without reading the source code or ANYTHING.

and it helps me debug all the time

happy stracing


Resources + FAQ

I've written like 7 posts about strace because I have an unhealthy obsession. They're at

jvns.ca/categories/strace

(In)frequently asked questions:

Q: Is there strace on OS X?
A: No, but try dtruss/dtrace!

Q: Can I strace strace?
A: Yup! If you do, you'll find out that strace uses the ptrace system call to do its magic.

Q: Should I strace my production database?
A: NONONONO. It will slow down your database a LOT.

Q: Is there a way to trace system calls that won't slow down my programs?
A: Sometimes you can use perf trace on newer Linux versions. Or bpftrace!

like this?
More zines at
http://jvns.ca/zines